AP Hogeschool - Knock knock, who's there? Authenticating your single page apps using JSON Web Tokens.

•

1 like•314 views

Securing single page applications can cause some problems. Discover how JSON web tokens can help you and what the future of authentication is like.

Internet

Sam Bellen
● Developer Evangelist at Auth0
● Google Developer Expert
● Co-organizer Fronteers
meetups Belgium
● I tweet as @sambego

Traditional web app
VS
Single page application

Single page architecture
app.sambego.be api.sambego.be
user.sambego.be
pay.sambego.be

Multi app architecture
app.sambego.be
api.sambego.beMobile app
Desktop app

What are some of the problems
with the traditional cookie based
approach?

app.sambego.be api.sambego.be user.sambego.be

These are the steps we have to
take to access an protected
resource
1. User fills in login form
2. We pass that data to an authentication
endpoint
3. The authentication endpoint returns an
access token
4. We send along this access token with each
request for protected data

app.sambego.be
api.sambego.be
account.sambego.be

Will the user have to login with
every visit?

With each next visit we will request
the tokens again

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJz
dWIiOiIxMjM0NTY3ODkwIiwiZ2l2ZW5fbmFtZ
SI6IlNhbSIsImZhbWlseV9uYW1lIjoiQmVsbGVuI
iwicHJlZmVycmVkX3VzZXJuYW1lIjoiU2FtYmV
nbyIsImlhdCI6MTUxNjIzOTAyMn0.8dgxpiPlES
mjugv2GynQiY9a5LrGvWVKW5RI6eoch9A

A JSON Web token is made from 3
different parts
● The header
● The payload
● The signature

$Payload { "sub": "1234567890", "given_name": "Sam", "family_name": "Bellen", "preferred_username": "Sambego", "iat": 1516239022 }$

Signature
HMACSHA256(
base64UrlEncode(header) + "." +
base64UrlEncode(payload),
✨your-256-bit-secret✨
)

Signature
HMACSHA256(
base64UrlEncode(header) + "." +
base64UrlEncode(payload),
this-is-a-super-secret-key
)

Signature
HMACSHA256(
base64UrlEncode(header) + "." +
base64UrlEncode(payload),
nPilVwFjcF0v5NL5YT1xsiwRJCGqM1do
)

Web Authentication API
https://www.w3.org/TR/webauthn/

Web Authn
https://www.w3.org/TR/webauthn/

That’s not new, we’ve had
passwordless login for a while now

api.sambego.be
123434
123123
987213
783541

What's hot

Web Development and Web Development technologies - Temitayo FadojutimiTemitayo Fadojutimi

AMP and WordPressbillerickson

Scaffolding in One Asp.NetLohith Goudagere Nagaraj

Anatomy of a Progressive Web AppMike North

Headless CMS for Digital Agencies - Case Study by Andy ThompsonKentico Software

Develop:BBC 2013 - Turbocharge your mobile web apps by using offlineJan Jongboom

Universal apps lightning talk Elyse Kolker Gordon

Make your animations perform well - Anna Migas - Codemotion Rome 2017Codemotion

Intro to Web DevelopmentVinay Shriyan, Certified ScrumMaster® (CSM)

Improving Dashboards with open content sharingLachlan Hardy

[Phpcamp]Shindig An OpenSocial containerBipin Upadhyay

Php Camp Open SocialBipin Upadhyay

WebFest 2011 WebMatrix Overview by Gavin WarrenerSpiffy

WordPress Themes deployment, licensing and automatic updates Marius Cristea

Finding the sweet spot - blending the best of native and webShawn Jansepar

REST API for JoomlaParth Lawate

DeveloperWeek2018 - Let's Build a ChatbotTessa Mero

ASP.NETRobert MacLean

Security Webinar: Harden the Heart of Your WordPress SiteSeWP Engine

Building SaaS with WordPress - WordCamp Netherlands 2016Mario Peshev

What's hot (20)

Web Development and Web Development technologies - Temitayo Fadojutimi

AMP and WordPress

Scaffolding in One Asp.Net

Anatomy of a Progressive Web App

Headless CMS for Digital Agencies - Case Study by Andy Thompson

Develop:BBC 2013 - Turbocharge your mobile web apps by using offline

Universal apps lightning talk

Make your animations perform well - Anna Migas - Codemotion Rome 2017

Intro to Web Development

Improving Dashboards with open content sharing

[Phpcamp]Shindig An OpenSocial container

Php Camp Open Social

WebFest 2011 WebMatrix Overview by Gavin Warrener

WordPress Themes deployment, licensing and automatic updates

Finding the sweet spot - blending the best of native and web

REST API for Joomla

DeveloperWeek2018 - Let's Build a Chatbot

ASP.NET

Security Webinar: Harden the Heart of Your WordPress SiteSe

Building SaaS with WordPress - WordCamp Netherlands 2016

Similar to AP Hogeschool - Knock knock, who's there? Authenticating your single page apps using JSON Web Tokens.

Agencies Developer ProductsJeff Eddings

API Security - OWASP top 10 for APIs + tips for pentestersInon Shkedy

Frontend development of the (current) futureFilip Bruun Bech-Larsen

Future of the WebFilip Bruun Bech-Larsen

The Future of the webFilip Bruun Bech-Larsen

WebapiJan Jongboom

Getting Started With Continuous Delivery on AWS - AWS April 2016 Webinar SeriesAmazon Web Services

Modern Web 2016: Using Golang to build a smart IM Bot Evan Lin

Mobile devices and SharePointmaliksahil

Mobile Devices and SharePoint - Sahil MalikSPC Adriatics

Zero cost serverless Real time web appBarcamp Saigon

Application Lifecycle ManagementAmazon Web Services

DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer ToolsAmazon Web Services

Optimizely Developer ShowcaseOptimizely

Frontend State of the unionFilip Bruun Bech-Larsen

App dev-developing a backend service java using Pub/Sub google cloudOuijden Dhemaid

Windows Store: Top Learnings from the first Belgian Windows 8 appsMicrosoft Developer Network (MSDN) - Belgium and Luxembourg

Creating mobile apps - an introduction to Ionic (Engage 2016)Mark Leusink

DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer ToolsAmazon Web Services

Similar to AP Hogeschool - Knock knock, who's there? Authenticating your single page apps using JSON Web Tokens. (20)

Agencies Developer Products

API Security - OWASP top 10 for APIs + tips for pentesters

Frontend development of the (current) future

Future of the Web

The Future of the web

Webapi

Getting Started With Continuous Delivery on AWS - AWS April 2016 Webinar Series

Modern Web 2016: Using Golang to build a smart IM Bot

Mobile devices and SharePoint

Mobile Devices and SharePoint - Sahil Malik

Zero cost serverless Real time web app

Application Lifecycle Management

DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools

Optimizely Developer Showcase

Frontend State of the union

App dev-developing a backend service java using Pub/Sub google cloud

Windows Store: Top Learnings from the first Belgian Windows 8 apps

Creating mobile apps - an introduction to Ionic (Engage 2016)

DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools

Recently uploaded

A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)Christopher H Felton

Font Performance - NYC WebPerf Meetup April '24Paul Calvano

定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一Fs

NSX-T and Service Interfaces presentationMarko4394

Contact Rya Baby for Call Girls New Delhimiss dipika

Blepharitis inflammation of eyelid symptoms cause everything included along w...Excelmac1

Film cover research (1).pptxsdasdasdasdasdasa494f574xmv

定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一Fs

Git and Github workshop GDSC MLRITMgdsc13

Magic exist by Marta Loveguard - presentation.pptxMartaLoveguard

Call Girls Near The Suryaa Hotel New Delhi 9873777170Sonam Pathan

定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一Fs

『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书rnrncn29

办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书zdzoqco

Top 10 Interactive Website Design Trends in 2024.pptxDyna Gilbert

『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书rnrncn29

PHP-based rendering of TYPO3 DocumentationLinaWolf1

Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service9953056974 Low Rate Call Girls In Saket, Delhi NCR

办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一z xss

Q4-1-Illustrating-Hypothesis-Testing.pptxeditsforyah

Recently uploaded (20)

A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)

Font Performance - NYC WebPerf Meetup April '24

定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一

NSX-T and Service Interfaces presentation

Contact Rya Baby for Call Girls New Delhi

Blepharitis inflammation of eyelid symptoms cause everything included along w...

Film cover research (1).pptxsdasdasdasdasdasa

定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一

Git and Github workshop GDSC MLRITM

Magic exist by Marta Loveguard - presentation.pptx

Call Girls Near The Suryaa Hotel New Delhi 9873777170

定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一

『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书

办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书

Top 10 Interactive Website Design Trends in 2024.pptx

『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书

PHP-based rendering of TYPO3 Documentation

Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service

办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一

Q4-1-Illustrating-Hypothesis-Testing.pptx

AP Hogeschool - Knock knock, who's there? Authenticating your single page apps using JSON Web Tokens.

1. Securing PWAs

2. Sam Bellen ● Developer Evangelist at Auth0 ● Google Developer Expert ● Co-organizer Fronteers meetups Belgium ● I tweet as @sambego

3. Traditional web apps

10.

11.

12. Any questions so far?

13. Traditional web app VS Single page application

14. Traditional architecture

15. Single page architecture app.sambego.be api.sambego.be user.sambego.be pay.sambego.be

16. Multi app architecture app.sambego.be api.sambego.beMobile app Desktop app

17. What are some of the problems with the traditional cookie based approach?

18. Cookies don’t like CORS

19. Cookies require state

20. Cookies don’t flow

21. app.sambego.be api.sambego.be user.sambego.be

22. So what’s the solution?

23. Token based authentication

24. OAuth

25. OpenID Connect

26.

27.

28.

29.

30.

31.

32.

33.

34. These are the steps we have to take to access an protected resource 1. User fills in login form 2. We pass that data to an authentication endpoint 3. The authentication endpoint returns an access token 4. We send along this access token with each request for protected data

35. OpenID Connect

36. app.sambego.be api.sambego.be account.sambego.be

37. app.sambego.be api.sambego.be account.sambego.be

38. app.sambego.be api.sambego.be account.sambego.be

39. app.sambego.be api.sambego.be account.sambego.be

40. app.sambego.be api.sambego.be account.sambego.be

41. app.sambego.be api.sambego.be account.sambego.be

42. Will the user have to login with every visit?

43. The login flow remains the same

44. app.sambego.be api.sambego.be account.sambego.be

45. With each next visit we will request the tokens again

46. app.sambego.be api.sambego.be account.sambego.be

47. app.sambego.be api.sambego.be account.sambego.be

48. app.sambego.be api.sambego.be account.sambego.be

49. Does this approach solve CORS?

50. Does this approach solve flow?

51. Does this approach solve keeping state?

52. Some questions by now?

53. What the #&$* is a token?

54. JSON Web Token

55. eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJz dWIiOiIxMjM0NTY3ODkwIiwiZ2l2ZW5fbmFtZ SI6IlNhbSIsImZhbWlseV9uYW1lIjoiQmVsbGVuI iwicHJlZmVycmVkX3VzZXJuYW1lIjoiU2FtYmV nbyIsImlhdCI6MTUxNjIzOTAyMn0.8dgxpiPlES mjugv2GynQiY9a5LrGvWVKW5RI6eoch9A

56. A JSON Web token is made from 3 different parts ● The header ● The payload ● The signature

57. eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJz dWIiOiIxMjM0NTY3ODkwIiwiZ2l2ZW5fbmFtZ SI6IlNhbSIsImZhbWlseV9uYW1lIjoiQmVsbGVuI iwicHJlZmVycmVkX3VzZXJuYW1lIjoiU2FtYmV nbyIsImlhdCI6MTUxNjIzOTAyMn0.8dgxpiPlES mjugv2GynQiY9a5LrGvWVKW5RI6eoch9A

58. Header { "alg": "HS256", "typ": "JWT" }

59. eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJz dWIiOiIxMjM0NTY3ODkwIiwiZ2l2ZW5fbmFtZ SI6IlNhbSIsImZhbWlseV9uYW1lIjoiQmVsbGVuI iwicHJlZmVycmVkX3VzZXJuYW1lIjoiU2FtYmV nbyIsImlhdCI6MTUxNjIzOTAyMn0.8dgxpiPlES mjugv2GynQiY9a5LrGvWVKW5RI6eoch9A

60. Payload { "sub": "1234567890", "given_name": "Sam", "family_name": "Bellen", "preferred_username": "Sambego", "iat": 1516239022 }

61. Reserved claims

62. Public claims

63. Private claims

64. eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJz dWIiOiIxMjM0NTY3ODkwIiwiZ2l2ZW5fbmFtZ SI6IlNhbSIsImZhbWlseV9uYW1lIjoiQmVsbGVuI iwicHJlZmVycmVkX3VzZXJuYW1lIjoiU2FtYmV nbyIsImlhdCI6MTUxNjIzOTAyMn0.8dgxpiPlES mjugv2GynQiY9a5LrGvWVKW5RI6eoch9A

65. Signature HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), ✨your-256-bit-secret✨ )

66. JWTs can be verified!

67. Signature HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), ✨your-256-bit-secret✨ )

68. Signature HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), this-is-a-super-secret-key )

69. Signature HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), nPilVwFjcF0v5NL5YT1xsiwRJCGqM1do )

70. jwt.io

71. Demo time!

72. The future of authentication?

73. Web Authentication API https://www.w3.org/TR/webauthn/

74. Web Authn https://www.w3.org/TR/webauthn/

75. No more passwords! 🎉

76. That’s not new, we’ve had passwordless login for a while now

77. Loggin in with an authenticator device

78. api.sambego.be

79. api.sambego.be 123434 123123 987213 783541

80. api.sambego.be 123434 123123 987213 783541

81. api.sambego.be Public Key

82. api.sambego.be Public Key

83. Demo time!

84. Who has an authenticator device?

85. One last time, any questions?

86. Thanks! @sambego

AP Hogeschool - Knock knock, who's there? Authenticating your single page apps using JSON Web Tokens.

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to AP Hogeschool - Knock knock, who's there? Authenticating your single page apps using JSON Web Tokens.

Similar to AP Hogeschool - Knock knock, who's there? Authenticating your single page apps using JSON Web Tokens. (20)

Recently uploaded

Recently uploaded (20)

AP Hogeschool - Knock knock, who's there? Authenticating your single page apps using JSON Web Tokens.